> On Tue, 22 Aug 2006 14:48
> Avishai Wool wrote:


> I agree with almost all the above except the statement
> "analyzing the firewall configuration files is *not* the right way"
> It's not very easy to do, certainly not easy to do *well*,
> but it is very possible!

Yes, it is very possible. That's not my point.

My point is, checking the firewall configuration doesn't guarantee you get what
you want. You have to trust the implementation to be sure the rules are
correctly applied.

That's why "analyzing the firewall configuration files is *not* the right way".
The right way is to analyze *how* the firewall applies the rules, not what the
rules are.

> if you are interested, you can find some academic papers
> about how it works at: http://www.eng.tau.ac.il/~yash/fw/index.html

As a member of IEEE and the Computer Society I already know some of these
papers ;-)

